update project routes. add auth checks to controllers.

OneCommunityGlobal · Nov 7, 2023 · ec5d405 · ec5d405
1 parent 0058b42
commit ec5d405
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 17 deletions.
diff --git a/src/controllers/bmdashboard/bmProjectController.js b/src/controllers/bmdashboard/bmProjectController.js
@@ -1,10 +1,21 @@
+// TODO: uncomment when executing auth checks
+// const jwt = require('jsonwebtoken');
+// const config = require('../../config');
+
 const bmMProjectController = function (BuildingProject) {
-  // fetches all projects by building manager id
+  // TODO: uncomment when executing auth checks
+  // const { JWT_SECRET } = config;
+
   const fetchAllProjects = async (req, res) => {
-    const { userId } = req.params;
-     try {
+    //! Note: for easier testing this route currently returns all projects from the db
+    // TODO: uncomment the lines below to return only projects where field buildingManager === userid
+    // const token = req.headers.authorization;
+    // const { userid } = jwt.verify(token, JWT_SECRET);
+    try {
       const projectData = await BuildingProject
-        .find({ buildingManager: userId })
+        // TODO: uncomment this line to filter by buildingManager field
+        // .find({ buildingManager: userid })
+        .find()
         .populate([
           {
             path: 'buildingManager',
@@ -26,7 +37,11 @@ const bmMProjectController = function (BuildingProject) {
 
   // fetches single project by project id
   const fetchSingleProject = async (req, res) => {
-    const { userId, projectId } = req.params;
+    //! Note: for easier testing this route currently returns the project without an auth check
+    // TODO: uncomment the lines below to check the user's ability to view the current project
+    // const token = req.headers.authorization;
+    // const { userid } = jwt.verify(token, JWT_SECRET);
+    const { projectId } = req.params;
     try {
       BuildingProject
         .findById(projectId)
@@ -41,16 +56,18 @@ const bmMProjectController = function (BuildingProject) {
           },
         ])
         .exec()
-        .then((project) => {
-          // authenticate request by comparing userId param with buildingManager id field
-          // ObjectId must be converted to string
-          if (userId !== project.buildingManager._id.toString()) {
-            return res.status(403).send({
-              message: 'You are not authorized to view this record.',
-            });
-          }
-          return res.status(200).send(project);
-        })
+        .then(project => res.status(200).send(project))
+        // TODO: uncomment this block to execute the auth check
+        // authenticate request by comparing userId param with buildingManager id field
+        // Note: _id has type object and must be converted to string
+        // .then((project) => {
+        //   if (userid !== project.buildingManager._id.toString()) {
+        //     return res.status(403).send({
+        //       message: 'You are not authorized to view this record.',
+        //     });
+        //   }
+        //   return res.status(200).send(project);
+        // })
         .catch(error => res.status(500).send(error));
     } catch (err) {
       res.json(err);

diff --git a/src/routes/bmdashboard/bmProjectRouter.js b/src/routes/bmdashboard/bmProjectRouter.js
@@ -4,10 +4,10 @@ const routes = function (buildingProject) {
   const projectRouter = express.Router();
   const controller = require('../../controllers/bmdashboard/bmProjectController')(buildingProject);
 
-projectRouter.route('/projects/:userId')
+projectRouter.route('/projects')
   .get(controller.fetchAllProjects);
 
-projectRouter.route('/projects/:userId/:projectId')
+projectRouter.route('/project/:projectId')
   .get(controller.fetchSingleProject);
 
   return projectRouter;